KVM-VMI

KVM-based Virtual Machine Instrospection.

Table of Contents

• Overview
• Installation
• Presentations
• References
• Maintainers
• License

Overview

This project adds virtual machine introspection to the KVM hypervisor.

Virtual Machine Introspection is a technology that aims to understand the guest's execution context, solely based on the VM's hardware state, for various purposes:

• Debugging
• Malware Analysis
• Live-Memory Analysis
• OS Hardening
• Monitoring
• Fuzzing

See the presentations section for more information.

This project is divided into 4 components:

• kvm: linux kernel with vmi patches for KVM
• qemu: patched to allow introspection
• nitro (legacy): userland library which receives events, introspects the virtual machine state, and fills the semantic gap
• libvmi: virtual machine instrospection library with unified API across Xen and KVM

At the moment, 2 versions of VMI patches are available for QEMU/KVM in this repository:

Installation

Follow the Setup guide

Presentations

• Bringing Commercial Grade Virtual Machine Introspection to KVM
• KVM Forum 2019: Advanced VMI on KVM - A Progress Report
• Hack.lu 2019: Leveraging KVM as a Debugging Platform
• Advanced VMI on KVM: A Progress Report

References

The legacy VMI system contained in this repo (Nitro) is based on Jonas Pfoh's work:

• Nitro: Hardware-based System Call Tracing for Virtual Machines
• Nitro - VMI Extensions for Linux/KVM

Maintainers

@Wenzel

License

GNU General Public License v3.0